NIS2 Directive: Transposition in Germany:
Implementation guide for NIS2 compliance
The NIS2 directive is a legal requirement, and compliance with it is demonstrated by establishing an information security management system (ISMS). The NIS2 directive states:
“The measures shall comply with the state of the art, take into account the relevant European and international standards and shall be based on an all-hazards approach.”
Best practices for establishing an ISMS are described in the international ISO 27001 standard, the gold standard in this field. It therefore makes sense for many affected companies to use an ISMS in accordance with ISO 27001 as the basis for demonstrating compliance with the NIS2 requirements, regardless of existing or planned certifications. Those who are already ISO 27001 certified have already taken the biggest step towards NIS2 compliance.
Project management:
The planning and implementation of an ISMS should be carried out within a project. Due to the high demands on setting up an ISMS, it is recommended that the project also be aligned with high standards in methodology. A controlled environment ensures that scope, time, costs, risks and benefits are optimized and that project risks are taken into account at an early stage. It also ensures that the project results are transferred to operations in a controlled manner in order to generate the corresponding benefits.
The implementation of an ISMS:
Commitment at management level:
NIS2 requires that senior management take overall responsibility for information security within the organization and also communicate compliance with the requirements to employees. This is done by creating an IS policy (information security policy). Senior management must provide the necessary human and financial resources to develop the ISMS and implement the information security strategy.
Scope of the ISMS:
The scope defines which assets (e.g. processes, business areas, locations, applications) are covered by the ISMS and which are excluded.
To do this, an environment analysis and requirements analysis are created and compared with the company's current state (gap analysis).
Understanding the scope is the basis and essential prerequisite for further planning and provides a defined framework for feasibility, resources, budget, time frame and the handover of the ISMS to operations.
Define long-term IS goals for the ISMS:
Good objectives are SMART (specific, measurable, achievable, realistic, time-bound) and aligned with the IS strategy. They cover the essential protection goals of integrity, availability and confidentiality. Achievement of the objectives, or progress towards them, is measured using defined KPIs. The specific measures are ultimately derived from the objectives.
Define roles and responsibilities for establishing, maintaining and continuously improving the ISMS:
The role of a Chief Information Security Officer (CISO) should be established. Furthermore, the roles of risk owner and asset owner are to be defined and established within the ISMS.
IS risk management:
The specific objectives of IS risk management are:
- Early identification and resolution of IS risks
- Establishment of uniform assessment methods for identified risks
- Clear assignment of responsibilities for dealing with risks
- Standardized and clear documentation of risks, including their assessments
- Efficient risk treatment: reduction, retention, avoidance, transfer
On the basis of the risk assessment, organizations must develop comprehensive risk management plans that include measures for risk minimization, monitoring and reporting.
Monitoring:
It must be ensured that the requirements of the NIS2 directive are continuously met in practice, and this is documented by means of appropriate monitoring:
- Performance monitoring evaluates the effectiveness of the ISMS with regard to achieving the security objectives (including NIS2 conformity) and fulfilling the requirements of ISO/IEC 27001.
- Risk monitoring refers to the assessment and monitoring of security risks in the company and in the ISMS.
- Compliance monitoring refers to the additional monitoring of compliance with legal requirements and regulatory provisions, but also with internal guidelines and standards.
Communication:
The aim is to describe the need for internal and external communication. This includes, for example, the obligation to report incidents to the BSI or to inform customers. The internal communication needs are to be identified and appropriate communication channels determined. The results are summarized in a communication plan.
Awareness and training:
Creating risk awareness in the company is an essential part of an ISMS. This helps to identify threats at an early stage, avoid security incidents and save the effort that would be required to deal with them. To this end, training concepts and training plans are created.
Supplier relationships:
The requirements of ISO 27001 focus on various protective measures, such as defining processes and procedures, contractual arrangements with the supplier, and reporting channels in the event of incidents. Risks arising from suppliers' IT infrastructure and supply chains must also be taken into account.
ISO 27036 offers a more precise consideration of the supply chain. It describes the necessary processes in detail.
It differentiates between:
- Supplier relationships for products
- Supplier relationships for services
- Supply chain for information technology
- Cloud computing
Certifications:
Suppliers increasingly demonstrate their information security to customers through certifications. ISO 27001 or IT-Grundschutz are particularly suitable for this. In the automotive sector, TISAX® has become established.
NIS2 requires certifications for certain types of entities, in particular for operators of critical facilities.
Incident management:
The aim of the process for handling information security incidents is to take targeted action when an actual security breach or a targeted cyber attack occurs in the organization.
The organization must define a classification of incidents that allows the severity to be determined. For example, a distinction is made between malfunctions, security incidents, emergencies and crises. A corresponding incident response plan must be created that describes the processes after an incident has been detected and how the damage is contained or eliminated.
Continual Improvement:
Companies are required to constantly analyze their processes and results, adapt them to new findings and identify potential for improvement in order to continuously improve their ISMS.
An organization that wants to operate an ISMS in accordance with the standard must therefore define organizational measures that serve as the basis for continuous improvement in a targeted and planned manner. The organization must demonstrate how it ensures that identified deficiencies are not repeated.
Our Services:
Requirements elicitation:
Gap analysis
Defining the solution architecture
- We create a gap analysis against security best practices and specific standards.
- We carry out a risk analysis to assess the specific cyber security risks.
- The result is presented as a heat map of the entire control standard.
- We create an action plan with prioritization and milestones.
- Consulting and implementation planning to eliminate audit findings.
- IS policies: creation of company-specific information security guidelines.
Project Management
- Business Plan (Scope, Costs, Benefit, Risk, Roadmap)
- Project Organisation
- Project Management
- Programme Management
Certificates:
Prince2 (classic & agile)
Scrum Product Owner
Scrum Master
ITIL4
CISSP
Business Analysis
Requirements Engineering
Arrange a consultation appointment:
Dr. Johannes Faassen
mobile: +49 170 4168039